I want to be able to offer ssh accounts on my linux server for people to be able to use for SSH tunnelling. All accounts will be locked down with no interactive shell, for tunnelling / port forwarding purposes only. My problem is that I don't want them to be able to access services that are bound to localhost only by doing port forwards like the following:

ssh account@server -L 9999:127.0.0.1:3306 && telnet localhost 9999

Would give access to the default mysql database port. How can I stop this?

I see options in the configuration file for OpenSSH to allow specific ports/hosts, but not to block them. Any help would be greatly appreciated :)

Put all your users into the same group, put that group in the rule, and put that rule at the top of your list before any allow rules. Note that I used 127.0.0.0/8 -- anything in the 127 netblock will get you to the local host, so don't just block 127.0.0.1.

Also, consider adding a similar rule to block access to your external interface IP. It is a crafty way to bypass the firewall rules.

If only fixed port forwardings are permitted, then you may restrict them with permitopen="host:port". Google claimed some commercial ssh daemon that offers a restricted port forwarding option, but that looked global, not just one user.
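The two answers above combine into one policy: a group-based firewall rule that keeps tunnel accounts off the whole 127.0.0.0/8 block and the server's own external address, plus a per-key permitopen allowlist for the forwards that are actually wanted. The script below is an added example, not code from either answer or from OpenSSH: it models that policy so an admin can check a proposed forward destination against it and generate the matching authorized_keys entry. The external address 203.0.113.10, the group name and the sample targets are constructed placeholders. It uses the real OpenSSH key options restrict, port-forwarding and permitopen; note that permitopen only governs -L (local) forwards, which is the case the question describes.

```python
import ipaddress

# Constructed values for this example: the server's external interface address
# (a documentation-range placeholder) and the group the tunnel-only accounts use.
EXTERNAL_IP = "203.0.113.10"
TUNNEL_GROUP = "sshtunnel"

# What the firewall answer blocks for the tunnel group: the entire 127/8
# loopback netblock (not just 127.0.0.1) and the box's own external address.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network(f"{EXTERNAL_IP}/32"),
]


def forward_is_blocked(dest_host: str) -> bool:
    """Return True if a -L forward destination would land on the local box.

    Takes an IPv4/IPv6 literal or the name 'localhost'. Other hostnames cannot
    be judged statically; for those the firewall rule is what decides at
    connect time, so they are reported as not blocked here.
    """
    if dest_host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(dest_host)
    except ValueError:
        return False
    # Literals such as ::ffff:127.0.0.1 are loopback spelled as IPv6.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback:  # covers 127/8 and ::1
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def authorized_keys_line(pubkey: str, allowed: list[tuple[str, int]]) -> str:
    """Build a tunnel-only authorized_keys entry.

    'restrict' switches off pty, agent/X11 forwarding and port forwarding;
    'port-forwarding' turns forwarding back on; each permitopen= then admits
    exactly one host:port destination. Destinations that the firewall policy
    would block are refused so the two controls never contradict each other.
    """
    for host, port in allowed:
        if forward_is_blocked(host):
            raise ValueError(f"{host}:{port} is on the blocked local ranges")
    opts = ["restrict", "port-forwarding"]
    opts += [f'permitopen="{host}:{port}"' for host, port in allowed]
    return ",".join(opts) + " " + pubkey


if __name__ == "__main__":
    # Constructed sample targets: the question's MySQL forward, an address
    # elsewhere in 127/8, the external interface, and a legitimate remote host.
    for target in ["127.0.0.1", "127.5.5.5", "localhost", EXTERNAL_IP, "198.51.100.7"]:
        print(f"{target:>14}: {'BLOCKED' if forward_is_blocked(target) else 'allowed'}")
    print(authorized_keys_line("ssh-ed25519 AAAA...example", [("198.51.100.7", 3306)]))
```

The generated line belongs in the tunnel user's ~/.ssh/authorized_keys; the firewall side of the policy (an owner-match rule keyed on the sshtunnel group, placed before any allow rules, as the first answer describes) still has to exist, because permitopen only constrains clients that honour the server's forwarding policy for that key, while the firewall rule applies regardless of which key or option was used.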